4 Replies Latest reply on Mar 3, 2002 2:52 PM by roger01

    Authenticating with Tomcat and JBoss

    sergeibatiuk

      Hi all,

      I need to authenticate with Tomcat, and then pass security credentials to JBoss. How do I achieve this? Is there an integrated solution, so that I don't have to write one security module for Tomcat, and another for JBoss?

      Sincerely,
      Sergei Batiuk.

        • 1. Re: Authenticating with Tomcat and JBoss
          binaryfeed

          Using JBoss-2.4.4 and Tomcat-4.0.1 integrated, with the default configuration, as long as you set up your auth.conf properly and have a working JBoss server-side login module, JBoss sets up the embedded tomcat with a JBossRealm that passes the credentials on through. Works like a charm!

          • 2. Re: Authenticating with Tomcat and JBoss
            roger01

            How do you set up auth.conf "correctly"?
            And can the JBoss supplied UsersRolesLoginModule be used?

            Thanks
            Roger

            • 3. Re: Authenticating with Tomcat and JBoss
              fbellameche

              Hi,

              I use JBoss 2.4.4 with tomcat 4.0.

              I have a webapp configured like this :

              <web-app>
              <servlet>
              <servlet-name>addEmploye</servlet-name>
              <servlet-class>com.xtierdev.formation.controler.AjouterEmployeServlet</servlet-class>
              </servlet>
              <servlet>
              <servlet-name>employeDetail</servlet-name>
              <servlet-class>com.xtierdev.formation.controler.AfficherDetailEmployeServlet</servlet-class>
              </servlet>
              <servlet>
              <servlet-name>listEmploye</servlet-name>
              <servlet-class>com.xtierdev.formation.controler.GererListeEmployesServlet</servlet-class>
              </servlet>
              <servlet-mapping>
              <servlet-name>addEmploye</servlet-name>
              <url-pattern>/addEmploye</url-pattern>
              </servlet-mapping>
              <servlet-mapping>
              <servlet-name>employeDetail</servlet-name>
              <url-pattern>/employeDetail</url-pattern>
              </servlet-mapping>
              <servlet-mapping>
              <servlet-name>listEmploye</servlet-name>
              <url-pattern>/listEmploye</url-pattern>
              </servlet-mapping>
              <security-constraint>
              <web-resource-collection>
              <web-resource-name>Collection1</web-resource-name>
              <description>Protected area</description>
              <url-pattern>/employeDetail</url-pattern>
              <url-pattern>/listEmploye</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
              <description>Domain Users</description>
              <role-name>Domain Users</role-name>
              </auth-constraint>
              <user-data-constraint>
              <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
              </security-constraint>
              <security-constraint>
              <web-resource-collection>
              <web-resource-name>Collection2</web-resource-name>
              <url-pattern>/addEmploye</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
              <description>Domain Users</description>
              <role-name>Domain Users</role-name>
              </auth-constraint>
              <user-data-constraint>
              <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
              </security-constraint>
              <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>server-login</realm-name>
              </login-config>
              <security-role>
              <description>Domain Users</description>
              <role-name>Domain Users</role-name>
              </security-role>
              </web-app>

              and a file standardjboss.xml beginning like this :


              <security-domain>java:/jaas/server-login</security-domain>
              ...

              and a server auth.conf file like this :

              // Put login modules providing authentication and realm mappings
              // for security domains.


              simple {
              // Very simple login module:
              // any user name is accepted.
              // password should either coincide with user name or be null,
              // all users have role "guest",
              // users with non-null password also have role "user"
              org.jboss.security.auth.spi.SimpleServerLoginModule required;
              };

              // Used by clients within the application server VM such as
              // mbeans and servlets that access EJBs.
              client-login {
              org.jboss.security.ClientLoginModule required;
              };

              // The default server login module
              other {
              // A simple server login module, which can be used when the number
              // of users is relatively small. It uses two properties files:
              // users.properties, which holds users (key) and their password (value).
              // roles.properties, which holds users (key) and a comma-separated list of their roles (value).
              // The unauthenticatedIdentity property defines the name of the principal
              // that will be used when a null username and password are presented as is
              // the case for an unauthenticated web client or MDB. If you want to
              // allow such users to be authenticated add the property, e.g.,
              // unauthenticatedIdentity="nobody"
              org.jboss.security.auth.spi.UsersRolesLoginModule required
              ;

              };
              server-login
              {
              com.myriap.security.jaas.loginmodule.NtServerLoginModule required
              ntDomainName="myriap"
              unauthenticatedIdentity="jms"
              ;
              };

              a client auth.conf like this :

              server-login
              {
              // Put your login modules that work without jBoss here

              // jBoss LoginModule
              org.jboss.security.ClientLoginModule required;

              // Put your login modules that need jBoss here
              };


              When I deploy my webapp and use it, no authentication dialog appears when accessing the protected areas of my webapp. What's wrong with this deployment?

              Thanks a lot.

              Farid
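
              A cross-check of the three files quoted in the post above, as an added example that is not part of the original post or of JBoss: it lists which auth.conf entry serves a `java:/jaas/...` security domain (falling back to `other`), and flags protected web resources whose transport guarantee is NONE or whose roles are not declared. The function names are hypothetical, the samples are constructed by trimming the posted files, and the comment stripping assumes no `//` inside option values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples, trimmed from the files quoted in the post above.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Collection1</web-resource-name>
    </web-resource-collection>
    <auth-constraint><role-name>Domain Users</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>Domain Users</role-name></security-role>
</web-app>"""

AUTH_CONF = """
// The default server login module
other { org.jboss.security.auth.spi.UsersRolesLoginModule required; };
server-login {
  com.myriap.security.jaas.loginmodule.NtServerLoginModule required ntDomainName="myriap";
};
"""

def jaas_entries(conf):
    """Map each auth.conf entry name to its login module class names."""
    conf = re.sub(r"//[^\n]*", "", conf)  # drop // comments
    flag = r"\s+(?:required|requisite|sufficient|optional)\b"
    return {name: re.findall(r"([\w.]+)" + flag, body)
            for name, body in re.findall(r"([\w.-]+)\s*\{(.*?)\}\s*;", conf, re.S)}

def resolve_domain(security_domain, entries):
    """Entry serving java:/jaas/<name>; JAAS falls back to 'other'."""
    name = security_domain.rsplit("/", 1)[-1]
    return name if name in entries else ("other" if "other" in entries else None)

def web_findings(web_xml):
    """Flag protected resources with no transport guarantee, and undeclared roles."""
    root = ET.fromstring(web_xml)
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    method = (root.findtext("login-config/auth-method") or "none").strip()
    out = []
    for sc in root.findall("security-constraint"):
        name = sc.findtext("web-resource-collection/web-resource-name", "?").strip()
        roles = {r.text.strip() for r in sc.findall("auth-constraint/role-name")}
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        if roles and guarantee == "NONE":
            out.append(f"{name}: {method} credentials are not forced onto TLS")
        out += [f"{name}: role '{r}' has no <security-role>" for r in sorted(roles - declared)]
    return out
```
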

              • 4. Re: Authenticating with Tomcat and JBoss
                roger01

                I think the problem is that you are using BASIC login and this does not work with Tomcat 4.0.1, as I understand the documentation. You need to use FORM based login instead.

                Roger